Original Message:
Sent: 2/23/2023 2:27:00 PM
From: Ben Erickson
Subject: RE: certbot in SMG
Hi Jordan,
My Let's Encrypt certificates are implemented via acme.sh with http challenge (no CSR needed), but it seems as if you are getting to the same place in the end if your process results in a valid fullchain.pem in a directory on your machine - is that right? The problem you are having is with the import in the UI afterwards, correct?
You should not actually have to go through all this every time you have to update the certificate. You should just be able to update the certificate in the UI, and it should match your fullchain pem to the existing private key: https://knowledge.broadcom.com/external/article/161689/updating-an-existing-tls-certificate-in.html.
To your other point, R3 is an intermediate, not a CA. Do you also have ISRG Root X1 in that chain?
Original Message:
Sent: Feb 12, 2023 04:01 PM
From: Jordan Hayes
Subject: certbot in SMG
I was able to integrate LetsEncrypt certificates in SMG 10.7 but now that I upgraded to 10.8 it has stopped working. Is anyone else out there doing this? Here's what I did:
Administration -> Settings -> Certificates
Click Add, fill in the fields, select CA Signed for type; create it, take the CSR and save it to me.csr
$ certbot certonly --manual --csr me.csr --preferred-challenges dns
That makes three files:
Certificate is saved at: 0000_cert.pem
Intermediate CA chain is saved at: 0000_chain.pem
Full certificate chain is saved at: 0001_chain.pem
Back in the SMG UI select Import and pick the full chain. At this point I get an error "Cannot build a trusted certificate chain for the certificate. Please make sure that you have added all the necessary CA certificates" ... this didn't happen under 10.7 and R3 is listed in the CAs that are loaded.
Anyone else get further on this?
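
The chain question raised in this thread (does the imported file stop at R3, or does it also carry a root such as ISRG Root X1?) can be checked before importing. The following is an added example, not code from either poster or from the product: it assumes the `openssl` command-line tool is installed, and `chain_report` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: walk a PEM bundle (leaf first) and report how it chains.
# Compares subject/issuer names only; it does not verify signatures.
# Returns 0 = ends in a self-signed root, 3 = links up but the root is not
# in the file, 1 = a link is broken, 2 = no certificates found.
chain_report() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    i=1; status=0; prev_issuer=""; subject=""
    while [ -f "$tmp/cert$i.pem" ]; do
        subject=$(openssl x509 -in "$tmp/cert$i.pem" -noout -subject \
                  -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer \
                 -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "[$i] subject: $subject"
        echo "    issuer:  $issuer"
        if [ "$i" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
            echo "    BREAK: certificate $((i - 1)) names a different issuer"
            status=1
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || { echo "no certificates in $bundle"; return 2; }
    [ "$status" -eq 0 ] || return 1
    if [ "$subject" = "$issuer" ]; then
        echo "chain ends in a self-signed root: $subject"
        return 0
    fi
    echo "top issuer not in file, must already be trusted by the importer: $issuer"
    return 3
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then chain_report "$1"; fi
```

Run it as `sh chain_report.sh 0001_chain.pem`; a return of 3 means the file ends at an intermediate, so whatever imports it needs the named top issuer in its own CA list.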